Security

Archive Formats Kill Antivirus Products 115

Posted by kdawson
from the fuzz-in-the-zip dept.
nemiloc sends us to the F-Secure blog for breaking news about widespread vulnerabilities in programs that process archive files: "The Secure Programming Group at Oulu University has created a collection of malformed archive files. These archive files break and crash products from at least 40 vendors — including several antivirus vendors... including us." Here is test material from OUSPG and a joint advisory from Finnish and English security organizations. It isn't news that security products can have security vulnerabilities. What makes this advisory important is that antivirus software is a perfect target. It is run in critical places with high privileges and auto-updates to keep versions coherent.
  • by Anonymous Coward on Tuesday March 18, 2008 @02:08PM (#22785666)
    Windows can crash over 9000 products.
  • by SpaceLifeForm (228190) on Tuesday March 18, 2008 @02:10PM (#22785684)
    Is probably more secure.

    I don't need to mention names, you know.
    • by PC and Sony Fanboy (1248258) on Tuesday March 18, 2008 @02:12PM (#22785724) Journal
      ... if only that secure platform was more customizable and less fruity.
    • by JeanBaptiste (537955) on Tuesday March 18, 2008 @02:14PM (#22785756)
      Cool. I need to run MS SQL server, it's the only one that my company's workflow software will run on. Also our enterprise app is all written in ASP. We also have lots of Exchange users. It would probably take years and years to convert all these things over to something else, probably with downtime and data loss.

      Your 'solution' may work for some, but probably not for most, and for the rest of us, that's what these articles are posted for!

      • by TheRaven64 (641858) on Tuesday March 18, 2008 @02:21PM (#22785866) Journal
        That's okay, the money has already been allocated, because you factored in the cost of migrating away from the platform as part of the TCO. You did include migration costs in your TCO calculations when purchasing the workflow software and Exchange, right?
        • migration generally does not mean an entire re-write of everything from the ground up, which is what this would be.
          • Re: (Score:3, Informative)

            by Neil Hodges (960909)
            You had to write it up the first time with Exchange (and so forth), didn't you? Wouldn't that have added to the 'TCO' of setting up your first system?
        • No. We factored in the costs of losing our jobs because the PHBs wanted Exchange.

          Seriously. I love Linux, but treating people like they're morons for having to support a Windows system is unrealistic.
          • There is only one good thing about small town
            There is only one good use for a small town
            There is only one good thing about small town
            You know that you want to get out

            When you're growing up in a small town
            You know you'll grow down in a small town
            There is only one good use for a small town
            You hate it and you'll know you have to leave

            -Lou Reed
      • by Ed Avis (5917) <ed@membled.com> on Tuesday March 18, 2008 @02:43PM (#22786174) Homepage

        I need to run MS SQL server, it's the only one that my company's workflow software will run on.
        Have you investigated porting to Sybase? It's pretty similar.

        Also our enterprise app is all written in ASP.
        Have you looked at Chili!Soft ASP? Or if you're using ASP.NET, Mono?

        We also have lots of Exchange users.
        Gotta admit, this is harder to migrate from once all your data is locked up in those binary PST files.

        But you have a point that many people, yourself included, are stuck with Windows. It wouldn't be easy to migrate. Much more convenient to buy some crappy virus scanner and keep the plates spinning.
        • by Skater (41976)

          We also have lots of Exchange users.
          Gotta admit, this is harder to migrate from once all your data is locked up in those binary PST files.
          My workplace is soon switching from Domino/Lotus Notes to Exchange/Outlook.

          I'm not sure whether to laugh or cry.
          • by monsted (6709)
            Laugh. Even if Exchange/Outlook is the root of all evil (i quite like it, actually), it's still a far better product than Notes.
            • by Zeromous (668365)
              Try being migrated from Outlook to Notes. That's the closest thing to 'a woman's pain'.
        • by prshaw (712950)
          >>once all your data is locked up in those binary PST files

          I have heard this mentioned a few times. Where are these binary PST files? Is that where the exchange server is storing everything in? One big PST file?

          I know that on my home system we don't have PST files on the workstations; all the data is stored on the Exchange server and I cannot find any PST files there. I need to find them so I can get them backed up. Otherwise the Exchange backups that I do make probably aren't worth much.
          • by Drantin (569921) * on Tuesday March 18, 2008 @05:08PM (#22788054)
            Normally, in order to keep the system functioning nicely on large systems, the users will have mailbox limits. In order to keep older mail they create personal archive files (or whatever they're actually called). These archives, with the extension PST, allow them to move mail from the Exchange server into them, and they have room for more mail while keeping the old stuff...
            • ...but those PSTs can make E-Discovery a real pain in the ass.
              • by sBox (512691)
                Depends on your needs. If regulations require you to retain x amount of years worth, then you should invest in an archiving solution. There are reasonable solutions out there.

                Another way is to put the psts on the file server and either use a backup software with open file capability or force logouts to disconnect users who leave their Outlook running during backups.

                Yet another way is to configure an archive mailbox on Exchange and have a client pop it off to a single pst to backup. This way you don't hav
        • Re: (Score:1, Troll)

          by beckerist (985855)
          Sybase / Adaptive Server Anywhere (as it's called now) is NOT ANYTHING like MSSQL. OLE DB vs ODBC, MSSQL requires an insane amount of resources comparatively, many syntax differences including table referencing, restoring, OS commands (ASA can run in Linux.)
          Licensing for ASA is about 20% the price of MSSQL. MSSQL CAN do indexed views and multiple triggers, where ASA cannot. Naming conventions are shorter in ASA.

          Also, don't even get me STARTED on security. I work for a software dev company that uses both pl
          • by deroby (568773)
            Funny, I "grew up" on MSSQL (6.5 and up), and although I'll admit that 2005 and 2008 are starting to look more like a development platform rather than a RDBMS, my experience with Sybase (ASA) has been more or less identical to yours towards MSSQL.

            I guess it all comes down to what you're used to. IMHO both are adequate at what they do; it's just that none of us likes to change or turn away from what he knows best.

            PS: a "few" years ago (around 2002 I think) we spent several months working with some (very smart)
          • by Ed Avis (5917)
            You're talking about Adaptive Server Anywhere (ASA) but the one that shares a lineage with MSSQL is Adaptive Server Enterprise (ASE). They are different products with different codebases.
      • Re: (Score:3, Interesting)

        Also, this isn't a FOSS vs. Microsoft thing even though many people make it out to be. For maximum protection against malware I'd actually go for Oracle on Solaris or AIX, all of which are closed source.
      • by IllForgetMyNickSoonA (748496) on Tuesday March 18, 2008 @03:53PM (#22787118)
        This is a usual argument, I know. However, each time I read it, I can't help but to ask myself "whose fault is it?" The answer is obvious, isn't it?

        It's unfair to pretend non-MS solutions are somehow expensive because it's so hard to break free from MS once you allowed yourself to get hooked into their proprietary world. You could just as well have developed your enterprise apps in something other than ASP, couldn't you?

        OK, I know I'm probably barking up the wrong tree here - probably it's not *your* fault after all. But I guess you know what I'm trying to point out.
        • by WNight (23683)
          That, and what's the cost to reimplement the system or port the data knowing what you now do?

          Even if Outlook/Exchange were totally a black box, you could still write a screen scraper (like UI testing apps do) and export the data as maildir + data which could be stored in a DB, for anything not email related (calendar, etc).

          You might have a huge clunky 500kloc business system that is essential to the company. But could it be replaced by an off-the-shelf CRM, issue-tracking, and a much smaller leaned reimplem
      • Indeed. It is your fate to be a terrible warning to the younger generation of the perils of locking yourself into a single vendor's closed proprietary system. If you make a ginormous effort it might be possible to get it replaced with a libre alternative, but doubtless there will be interop and TCO reasons to stay with everything on that one vendor - cos your web apps would need to be rewritten to support the different backend, and then you won't be able to use whatever gold-plated handcuffs MS have up thei
      • by icydog (923695)

        I need to run MS SQL server, it's the only one that my company's workflow software will run on.

        What is this software that you run? Even Microsoft's own solution, Dynamics AX, runs and is fully supported on Oracle.

    • by Nimey (114278)
      If only I could get my Apple //c on the Internet.
    • Re: (Score:3, Informative)

      by DaveWick79 (939388)
      Did anyone read TFA and realize that of the programs that were known to be vulnerable, the majority were various brands of Linux?
      • Re: (Score:3, Insightful)

        by orclevegam (940336)

        Did anyone read TFA and realize that of the programs that were known to be vulnerable, the majority were various brands of Linux?
        Actually Linux isn't vulnerable, but some of the common utilities are. Upgrading bzip2 and tar to the latest versions should fix any vulnerabilities. Also hit hard it seems was Symantec with the common library all their utilities use for handling compressed files being compromised, and hence virtually all of their products across the board.
        • The compatibility list didn't go into detail on what portion of the software was affected. I just noticed that MS was pronounced as unaffected and yet many linux distros were? Just making the point that it's not always MS stuff that gets hit by the bug. I would have thought that whoever made the bzip2 and tar software would have been mentioned rather than the distro if that were the only issue.

          Actually the article linked to stated that Symantec tested all their products against the bug, and found that it
          • I need to go back and find the link, but if you click around a bit you can get to one of the security releases that has a more detailed list of affected products (including listing not only tar and bzip2, but the versions that fix the bug being exploited).
                Looking back at the original link it does list Symantec as not being affected, so maybe I'm thinking of another vulnerability. There were two actual security releases based on this, one involving a buffer overflow, and another involving uncaught exceptions that lead to program crashes, so maybe it's only vulnerable to one of those. Or maybe I'm just confused and it's an entirely different security advisory I'm thinking of. This link [www.cert.fi] does list 7-zip, and bzip2 (and tar, but it will depend on which version of
              • This was the same link I was looking at. Drilling down a bit it looks like the problems are related to the libarchive program included in SUSE, Debian, Gentoo...
    • by rtaylor (70602)
      Really? Any platform that allows you to execute binaries, scripts, or other code as a normal user with minimal permissions is going to be a problem.

      Oddly enough, people don't care about the OS. They care more about the data files in their home directory than anything else.
      • by Torvaun (1040898)
        That's not odd, an OS is easy to replace. Data is where things get difficult/expensive.
  • Question (Score:2, Funny)

    by TheMeuge (645043)
    So is this evolution, or intelligent design?
    • So is this evolution, or intelligent design?
      Neither. It's ignorant design (of the archive handling software, of course).

    • IMO, it is evolution, since it appears to be a challenge-response environment; they did not design viruses from the start to crash antivirus software 30 years in the future.
  • ... isn't a real-time scanner going to catch it when you try to extract/use it?
    • Re: (Score:2, Informative)

      by thyrf (1059934)
      It needs to be identified as such first anyway and that's what's crashing it.
  • by davidwr (791652) on Tuesday March 18, 2008 @02:21PM (#22785876) Homepage Journal
    There's

    1. "I had an exception processing file ABC.ZIP, skipping file,"
    2. Crashing and dying without handling the exception, and
    3. Being exploited due to an unexpected condition.

    The first lets viruses hide in carefully-mis-crafted archives.
    The second lets viruses deactivate antivirus software.
    The third lets viruses 0wn j00.

    Some AV software is smart enough to log instances of #1.
    • by heson (915298)
      I remember vaguely that mailscanner/clamav did
      0. Exception processing hotbabe.zip, removing attachment.
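The three outcomes davidwr lists above (an exception that skips the file, an unhandled crash, and an exploitable condition) and heson's "removing attachment" log line describe the contract an archive handler should meet: every parse failure becomes a logged verdict, nothing the file says about itself is trusted, and the inflater is bounded. What follows is an added example written for this page, not code from OUSPG, the advisory, or any of the vendors named; it uses Python's standard zipfile module as the decoder. The limit values (1 MiB of output, 100:1 ratio, two nesting levels) are assumptions chosen for the demonstration, and the four sample archives are constructed inside the block, including the doubly zipped all-zeros file discussed later in this thread.

```python
import io
import struct
import zipfile
import zlib

# Policy limits. Assumed values for this example, not any vendor's defaults.
MAX_INFLATED_BYTES = 1024 * 1024      # total bytes we will inflate for one top-level file
MAX_RATIO = 100                       # inflated:compressed above this is treated as a bomb
MAX_DEPTH = 2                         # archive-inside-archive levels we will follow
CHUNK = 64 * 1024

# Everything the zip library may raise while parsing. Each becomes a logged
# "unscannable" verdict (davidwr's case 1), never an unhandled crash (case 2).
PARSE_ERRORS = (zipfile.BadZipFile, zlib.error, EOFError, OSError, ValueError,
                NotImplementedError, struct.error)


def scan_archive(blob, depth=0, budget=None):
    """Return (verdict, reason); verdict is 'clean', 'bomb' or 'unscannable'.

    Header fields are only hints (a zip can be edited to say anything), so the
    hard limits are enforced on the bytes actually produced by the inflater.
    """
    if budget is None:
        budget = {"left": MAX_INFLATED_BYTES}
    if depth > MAX_DEPTH:
        return "unscannable", "nested deeper than %d levels" % MAX_DEPTH
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except PARSE_ERRORS as exc:
        return "unscannable", "malformed archive: %s" % exc
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            declared = max(info.compress_size, 1)
            if info.file_size / declared > MAX_RATIO:       # cheap early reject
                return "bomb", "%s declares %d:1" % (info.filename, info.file_size // declared)
            out = io.BytesIO()
            try:
                with zf.open(info) as entry:
                    while True:
                        chunk = entry.read(CHUNK)
                        if not chunk:
                            break
                        budget["left"] -= len(chunk)
                        if budget["left"] < 0:
                            return "bomb", "%s exhausted the inflate budget" % info.filename
                        if out.tell() + len(chunk) > MAX_RATIO * declared:   # header lied
                            return "bomb", "%s inflates past %d:1" % (info.filename, MAX_RATIO)
                        out.write(chunk)
            except PARSE_ERRORS as exc:
                return "unscannable", "%s: %s" % (info.filename, exc)
            content = out.getvalue()
            if content.startswith(b"PK\x03\x04"):           # archive inside the archive
                verdict, reason = scan_archive(content, depth + 1, budget)
                if verdict != "clean":
                    return verdict, "%s -> %s" % (info.filename, reason)
            # a real scanner would run its signatures over `content` here
    return "clean", "every entry inflated within limits"


def make_zip(entries):
    """Build an in-memory deflate zip from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample inputs (not material from the advisory): a benign archive,
# a doubly zipped all-zeros file, and two broken blobs.
CLEAN = make_zip([("readme.txt", b"nothing to see here\n" * 10)])
INNER = make_zip([("hi", bytes(4 * 1024 * 1024))])   # 4 MiB of zeros -> a few KiB
BOMB = make_zip([("hi.zip", INNER)])                  # zipped again, shrinks further
GARBAGE = b"PK\x03\x04 this is not really an archive"
TRUNCATED = CLEAN[:-7]

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("bomb", BOMB),
                       ("garbage", GARBAGE), ("truncated", TRUNCATED)]:
        print("%-10s %6d bytes -> %s: %s" % ((name, len(blob)) + scan_archive(blob)))
```

The two size checks are deliberately redundant: the declared-size check is cheap and rejects the obvious bomb before any inflation, while the count of real inflated bytes and the shared budget across nesting levels are what actually hold when the central directory has been edited to lie. A CRC mismatch, a truncated end-of-central-directory record, or an unsupported compression method all land in the same `unscannable` branch, which is the "exception processing file, skipping" outcome rather than the crash the advisory describes.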
  • "It isn't news that security products can have have security vulnerabilities."

    While two negatives make a positive, two positives do not make a negative.
  • RIP Symantec AntiVirus; Oh AVG, how I will miss you!
  • Old Problem (Score:5, Informative)

    by Detritus (11846) on Tuesday March 18, 2008 @02:28PM (#22785996) Homepage
    Similar problems have appeared in other file formats and packet formats. Even without deliberate attacks, data corruption can crash applications and systems that are insufficiently paranoid about the data that they receive and process. Do you want it fast or do you want it correct?
    • Re: (Score:3, Insightful)

      by Xtravar (725372)

      Do you want it fast or do you want it correct?
      Do I want it fast 99.99999999% of the time with a 0.00000001% chance of incident, or do I want it slow 100% of the time with a 0% chance of incident?

      If correcting the repercussions of the incident takes less time than the total time lost by doing things the correct way, then I will take the fast way, please.
      • Re: (Score:3, Insightful)

        by DRAGONWEEZEL (125809)
        You just did "Cost benefit analysis" or sometimes called Risk Analysis.

        That is the same thing that says, do I leave an unsecured wireless AP, or a lightly secured WEP AP that shows I did at least due diligence?

        For personal machines, I'd take the fast way, for sure, assuming data is backed up regularly.

        For corporate machines (in general; caveat emptor, and risk assessment would need to be performed on a per machine basis), I wouldn't trust an ice cube's chance in hell (hey, what if Satan has a freezer?), it'd
    • Older than you think [mitre.org], perhaps.

      What really gets me is that every couple of years the University of Oulu Secure Programming Group comes out with another few dozen application vulnerabilities they've found by just fuzzing a new protocol. First they did SNMP, the ASN (part of OpenSSL, to a first approximation), H.323 ... I don't know who's got tenure over there, but damn! I'm glad they're on our side.

  • It is run in critical places with high privileges and auto-updates to keep versions coherent.
    Run tar at low privileges, then scan the pipe like a normal file.
    For most files there's no need to give the scanner any privileges;
    it only needs read access to itself and system files 90% of the time.

    In fact, even on Windows, why do virus scanners need high privileges?
    • So they can scan stuff at system level, update themselves without needing an admin to log on to the system, be able to delete files, make it so that limited users can turn off the scanners, and so on.
      • But it won't need root to scan them; it only needs root to act on the results. Surely a master process can run the tar and scan programs, then if it finds a file decide if it needs root to fix it, and if it does, launch a fixer with root privileges. As for auto-update, a similar technique could be employed, although with advanced user privileges (I think Vista has them) you could launch an update program without root, but with access to update the program and nothing else (especially not itself).

        I always a
    • by afidel (530433)
      I'm guessing it's because they run as a filesystem filter driver and so need privileges to attach to the filesystem layer. They also need to poke about in memory and attach to running processes (eg attach to Outlook to scan incoming mail). It should be possible to separate the data capture portion from the analysis portion but it would probably be much harder to design and test.
      • Isn't that exactly where a Unix approach would pay off?
        a root Outlook looker, looks at Outlook (but the looker is small so hard to exploit)
        a non-root unzip, unzips and passes it on
        a non-root scanner, to scan the file then pass on the conclusion
        a root cleaner, to take any actions (may not even need root)

        By reducing the code that runs with root privileges you reduce the chances of an exploit in root code.
    • Re: (Score:3, Informative)

      by Ephemeriis (315124)

      in fact even on windows, why do virus scanners need high privileges?

      Typically, on a Windows system, antivirus software will embed itself into the operating system fairly deeply. They usually scan all file I/O in real-time, watch memory for suspicious things, and sandbox much of what is run. It isn't as simple as just scanning files here and there. Most Windows antivirus software installs itself (or parts of itself) as a service and starts running even before the shell comes up.
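The split sketched in this thread (a small privileged watcher, an unprivileged decoder, an unprivileged scanner, a privileged cleaner) can be demonstrated with nothing more than an ordinary child process, which is the part that Ephemeriis's filter-driver component would hand the captured bytes to. The block below is an added example for this page, not code from any of the affected products: the decoder runs in a separate process under a memory cap and a wall-clock timeout, so a decoder that crashes, loops forever, or tries to allocate a gigabyte produces a verdict for the parent instead of taking the scanner down. zlib.decompress stands in for the real archive decoder, and the CRASH/HANG/BIG prefixes, the 256 MiB cap and the 5 s timeout are assumptions of the example. It relies on POSIX `preexec_fn` and the `resource` module, so it is Unix-only; the uid/gid switch to an unprivileged account is described in a comment rather than performed, since it needs root to demonstrate.

```python
import resource
import subprocess
import sys
import zlib

# Example-only policy values (assumptions, not any product's defaults).
DECODER_TIMEOUT_S = 5
DECODER_MEMORY_BYTES = 256 * 1024 * 1024

# Body of the unprivileged decoder process. zlib.decompress stands in for the
# real archive unpacker. The CRASH/HANG/BIG prefixes are test hooks that imitate
# the failure modes a malformed archive can trigger inside a decoder.
WORKER = r"""
import os, sys, zlib
data = sys.stdin.buffer.read()
if data.startswith(b"CRASH"):
    os.abort()                        # decoder bug: dies with SIGABRT
if data.startswith(b"HANG"):
    while True:                       # decoder bug: never terminates
        pass
if data.startswith(b"BIG"):
    data = bytes(1 << 30)             # bomb-style allocation; refused under RLIMIT_AS
sys.stdout.buffer.write(zlib.decompress(data))
"""


def confine_child():
    """Runs in the child after fork, before exec.

    A real deployment would also switch to an unprivileged uid/gid here
    (os.setgid/os.setuid); that step is omitted because it needs root.
    """
    resource.setrlimit(resource.RLIMIT_AS,
                       (DECODER_MEMORY_BYTES, DECODER_MEMORY_BYTES))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))   # no core files from the decoder


def decode_isolated(blob, timeout=DECODER_TIMEOUT_S):
    """Return (status, payload). status is 'decoded', 'rejected' (decoder
    reported bad input), 'crashed' (killed by a signal) or 'timeout'.
    The parent never runs decoder code in its own address space."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", WORKER],
            input=blob, capture_output=True, timeout=timeout,
            preexec_fn=confine_child,
        )
    except subprocess.TimeoutExpired:
        return "timeout", b""
    if proc.returncode == 0:
        return "decoded", proc.stdout
    if proc.returncode < 0:           # killed by signal number -returncode
        return "crashed", proc.stderr
    return "rejected", proc.stderr


if __name__ == "__main__":
    samples = {
        "good": zlib.compress(b"hello from inside the archive"),
        "corrupt": b"\x78\x9c this is not a deflate stream",
        "crash": b"CRASH", "hang": b"HANG", "big": b"BIG",
    }
    for name, blob in samples.items():
        status, payload = decode_isolated(blob, timeout=2)
        print(f"{name:8s} -> {status} {payload[:40]!r}")
```

The parent maps every failure of the child onto a verdict and keeps running, which is exactly what the monolithic scanners in the advisory failed to do; the scanner stage can be put behind the same boundary with a second worker, and only the cleanup stage that deletes or quarantines files needs the privileges the scanner originally held.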

  • Hrm (Score:5, Informative)

    by Shadow-isoHunt (1014539) on Tuesday March 18, 2008 @03:19PM (#22786658) Homepage
    • Re: (Score:2, Informative)

      PS: Forgot http://www.securityfocus.com/bid/28285/info [securityfocus.com]
    • They're distributing a cd image containing a set of .tar.bz2 archives, despite having found at least 2 defects in .bz2 software.

      They do mention using ICEOWS to decompress under Windoze, but don't endorse it or guarantee it will work:

      "One suitable tool for Windows environment is ICEOWS, available at no cost. Note that each x.tar.bz2 package is first decompressed to a x.tar file, which is then similarly decompressed into a directory x containing the files. Note that OUSPG neither endorses any decompress
  • Bad programming (Score:3, Interesting)

    by dabadab (126782) on Tuesday March 18, 2008 @03:26PM (#22786738)
    You DO test your product with malformed archives, don't you? I know I do. And our product - if possible at all - ignores the problems and extracts the archive anyway or if it's borked beyond recovery then report it as such. But crashing?... Please.
  • Fsecure blog just reported more breaking news: It could rain today......

    It has been years since the viral jpeg, pdf, etc, etc, and viruses have been getting packed in archival formats to avoid detection for ages. I can't say this is earth shatteringly surprising news.
  • A zip file can crash the anti-virus software when it tries to scan it? Is that what this is about? But why does it have to be an archived file, and not just any file? I was under the impression that any file could possibly crash any program that trips over an unexpected error....

    Also if you need to unzip a random file for the virus to release, then how is that much different from your typical .exe attachments that you're not supposed to execute?
  • by mrmeval (662166) <mrmeval@NOSPam.gmail.com> on Tuesday March 18, 2008 @06:26PM (#22788974) Journal
    My favorite is using pkzip to zip up a ~200 MB+ file to kill automated virus checkers. ;) The hard drives in the heyday of command line pkzip were small and this would kill some twit's BBS because the virus checker would blindly unzip the file then check it, without checking that it would fill the drive. The next version of the software just looked at what the zip file said... but you could edit the zip to say anything and it would still decompress the whole file.
    The next version did fix that finally... for pkzip. ;)

    Using social engineering that is rather inept by todays standards I convinced several people on usenet to not read the text telling that it could cause problems but to just blindly open the doubly zipped file (it gets smaller when doubly zipped a certain way so I made it 2G to start).

    I did the same thing with PGP which could allow one to kill an encrypted anonymous remailer and I also nailed several people by posting the PGP message with a passphrase. PGP compresses files prior to encryption. I didn't mess with the remailer without asking permission. The person running it was a bit surprised.

    Linux commands:
    dd if=/dev/zero of=hi bs=1024 count=200512
    zip hi.zip hi
    Result -rw-r--r-- 1 bogus bogus 199411 2008-13-48 18:04 hi.zip

    zip -9 ho.zip hi.zip
    Result -rw-r--r-- 1 bogus bogus 846 2008-30-81 18:13 ho.zip
    I'm not sure why but using -9 to start does not make the original super small it only works the second time.

    If you want to assault a fractal compressor, just insert a non-finite automata and have at them. You get points if it's video and draws frame after frame of something inappropriate.

    • by Endlisnis (208453)
      The reason why it needs the second run for a big file full of zeros is because of how that style of compressor works. It looks for all repeated patterns in the file and replaces them with references to each other. But, after a while the pattern list gets so big that it gives up that block and starts from scratch for the next block. But, with your file, every block ends up being the same "9000 zeros", so the second time through, it sees each block as a repeated pattern and can compress that.

      In theory, incre
      • by mrmeval (662166)
        Thanks for that. I could not figure out how the format worked and am pretty bad at programming. I felt there had to be a way to hand craft a 'compressed' file that would work and could produce any file size I wanted but I lacked and still lack the skills to do it.

  • Isn't a program that compromises your antivirus and makes it attack your system an autoimmune disease? It could be lupus!
